Virus Top Twenty for July 2007

01 Aug 2007
Virus News

| Position | Change in position | Name | Proactive Detection Flag | Percentage |
|---|---|---|---|---|
| 1 | New | Email-Worm.Win32.Warezov.pk | not detected – Downloader* | 22.72 |
| 2 | -1 | Email-Worm.Win32.NetSky.q | Trojan.generic | 14.22 |
| 3 | -1 | Email-Worm.Win32.Bagle.gt | Trojan.generic | 8.67 |
| 4 | -1 | Email-Worm.Win32.NetSky.t | Trojan.generic | 6.79 |
| 5 | +1 | Worm.Win32.Feebs.gen | Hidden Data Sending | 6.47 |
| 6 | -2 | Email-Worm.Win32.NetSky.aa | Trojan.generic | 6.22 |
| 7 | 0 | Net-Worm.Win32.Mytob.c | Trojan.generic | 4.04 |
| 8 | +2 | Email-Worm.Win32.Mydoom.l | Trojan.generic | 3.57 |
| 9 | +2 | Email-Worm.Win32.Nyxem.e | Trojan.generic | 3.3 |
| 10 | +7 | Exploit.Win32.IMG-WMF.y | | 2.58 |
| 11 | +1 | Email-Worm.Win32.NetSky.b | Trojan.generic | 2.57 |
| 12 | +7 | Email-Worm.Win32.NetSky.x | Trojan.generic | 1.60 |
| 13 | +3 | Net-Worm.Win32.Mytob.t | Worm.P2P.generic | 1.53 |
| 14 | +4 | Net-Worm.Win32.Mytob.u | Worm.P2P.generic | 1.34 |
| 15 | Return | Email-Worm.Win32.Mydoom.m | Trojan.generic | 1.23 |
| 16 | New | Email-Worm.Win32.Womble.d | Trojan.generic | 1.21 |
| 17 | Return | Email-Worm.Win32.Scano.gen | Trojan.generic | 1.20 |
| 18 | Return | Email-Worm.Win32.Zhelatin.dam | [Damaged] | 1.00 |
| 19 | -6 | Virus.Win32.Grum.a | not detected – Virus*** | 0.92 |
| 20 | Return | Email-Worm.Win32.LovGate.w | Trojan.generic | 0.62 |
| | | Other malicious programs | | 8.12 |
* — Downloader, results in an error if the file is missing from the site.

** — a file in the WMF graphics format.

*** — The PDM module is not intended for combating classic computer viruses.

The activity of the botnet that was created in May via the Agent.bqs Trojan was only reaching its “design capacity” in June; by July it was in full swing. Another member of the Warezov family, which is distributed by this zombie network, reached the top position on the chart, accounting for 22% of the malicious code in mail traffic. Although there were 4 Warezov variants in our June rankings and only one on our July charts, this does not mean that the threat has abated. On the contrary, the top position achieved in July will be followed by more spam-and-virus mailings, which in a few months will probably culminate in another “Warezov madness” comparable to the one that took place in October 2006, when we detected more than twenty new variants of the worm every day.

Veterans of the virus scene, NetSky.q and .t, have each moved one position down, but in percentage terms their presence in mail traffic has remained almost at the same level as last month – 14% and 16% respectively. Bagle.gt has also moved one position down but remained one of the top three malicious programs. On the whole, despite the blast-off of Warezov.pk, which was first detected on June 26 and peaked in early July, the situation remains stable (it is actually quite rare for the rankings to be so stable, with Warezov.pk being one of only two newcomers to the Top Twenty). The conditions are not favorable for new global epidemics, so the main threat is posed by local attacks targeting users from individual countries.

In general, in the top fifteen positions of the chart there was some shifting among old worms. The most significant growth in July (+7 positions) was demonstrated by Exploit.Win32.IMG-WMF.y. There is a good reason for this: the second newcomer in our ranking, the Womble.d mail worm, uses this exploit as one of its methods of spreading. This is a relatively old worm, “released” in September 2006, but it is only now that it has managed to spread noticeably.

It is worth mentioning that Scano.gen and LovGate.w are back in our Top Twenty charts, though these worms are unlikely to make much of an impact in the coming months. Also noteworthy is the return of the Zhelatin.dam variant, which may be an indication that this family is not going away any time soon. Other malicious programs made up 8.12% of all malicious code in mail traffic, indicating that there is still a relatively large number of other worm and Trojan families in circulation.

Summary:

  • New: Email-Worm.Win32.Warezov.pk, Email-Worm.Win32.Womble.d
  • Moved up: Worm.Win32.Feebs.gen, Email-Worm.Win32.Mydoom.l, Email-Worm.Win32.Nyxem.e, Exploit.Win32.IMG-WMF.y, Email-Worm.Win32.NetSky.b, Email-Worm.Win32.NetSky.x, Net-Worm.Win32.Mytob.t, Net-Worm.Win32.Mytob.u
  • Moved down: Email-Worm.Win32.NetSky.q, Email-Worm.Win32.Bagle.gt, Email-Worm.Win32.NetSky.t, Email-Worm.Win32.NetSky.aa, Virus.Win32.Grum.a
  • Re-entry: Email-Worm.Win32.Mydoom.m, Email-Worm.Win32.Scano.gen, Email-Worm.Win32.Zhelatin.dam, Email-Worm.Win32.LovGate.w